本研究使用質性研究以及紮跟理論的三種編碼方法，希望從中探究資訊系統開發過程應注意之資訊安全議題。在研究結果中發現，第一，組織對於不同資訊安全議題，其所注重的程度也不盡相同。第二，各種不同的資訊安全議題，也會互相影響。第三，一個資訊安全議題，可能在數個不同的系統開發階段中受到重視，組織在進行資訊系統開發時，應該注重這些在不同開發階段都會引起討論的議題。
　　基於本研究的結果，第一，我們建議資訊系統開發的管理者，在系統開發的階段中，應該更重視資訊安全的議題，以建立更完善的資訊安全管理機制。第二，各個資訊安全議題之間可能互相影響。因此組織在進行系統開發時，應該注意到許多的資訊安全議題都是會互相影響的。最後，組織所看重的資訊安全議題，會因不同的系統開發階段，而有所區別。也可以讓組織更加注意到，在多個系統開發階段中都會引起重視的資訊安全議題。

This research used qualitative research and grounded theory, to explore information security issues in the information system development process. In this study, there are several findings. First, the organizations identify various information security issues to implement the information security mechanisms. Second, there are strong connections between security issues. Third, several critical security issue are addressed in the system development process.

Based on our findings, first, we suggest the information system managers have to establish robust information security mechanism to implement high quality services. Second, organizations should focus on different information security issues in different system development processes, because there are significant mutual operations between several critical security mechanisms. Finally, the managers have to focus on key information security mechanism from the initial to the end of the system development phases.

摘要	I
Abstract	II
 第一章　緒論	1
 第二章　文獻探討	5
2.1	資訊安全	5
2.2	資訊安全管理標準	9
2.3	系統開發與資訊安全	13
 第三章　研究方法	18
3.1	研究個案	18
3.2	訪談流程	20
3.3	資料分析	22
 第四章　資料分析與結果	24
4.1	開放性編碼與結果	24
4.1.1	「規範」之編碼統計	26
4.1.2	「組織安全計畫」之編碼統計	28
4.1.3	「資源」之編碼統計	30
4.2	主軸編碼與結果	31
4.2.1	「規範」之編碼交互統計	31
4.2.2	「組織安全計畫」之編碼交互統計	31
4.2.3	「資源」之編碼交互統計	34
4.3	選擇性編碼與結果	37
 第五章　結論	43
5.1	研究結果	43
5.2	研究貢獻	45
5.3	研究限制	46
參考文獻	47
附錄	50

 
表目錄
表2-1：資訊安全定義	7
表2-2：ISO 27001與COBIT標準比較表	11
表2-3：TCSEC安全等級介紹	12
表3-1：訪談對象分類表	20
表4-1：編碼統計表	24
表4-2：「規範」編碼統計表	27
表4-3：「組織安全計畫」編碼統計表	29
表4-4：「資源」編碼統計表	30
表4-5：編碼交互關係表	36
表4-6：選擇性編碼統計表	40
表4-7：各階段重視項目表	42

1.Amit, R., and Belcourt, M.,“Human resources management processes: a value-creating source of competitive advantage,” European Management Journal(17:2), 1999, pp.174-181.
2.Barnard, L., and von Solms, R. “A formalized approach to the effective selection and evaluation of information security controls,” Computers & Security(19:2), 2000, pp.185-194.
3.Boehm, B. W.“A spiral model of software development and enhancement,” Computer (21:5), 1988,pp.61-72.
4.Budde, R., andZullighoven, H. “Prototyping revisited,” CompEuro'90. Proceedings of the 1990 IEEE International Conference on Computer Systems and Software Engineering,IEEE, 1990, pp. 418-427.
5.Chen, C. C., Shaw, R. S., and Yang, S. C.“Mitigating information security risks by increasing user security awareness: A case study of an information security awareness system,” Information Technology Learning and Performance Journal (24:1), 2006, pp.1.
6.Clarke, R.A. “Information Technology and Data Surveillance,”Communication of the ACM(31:5), 2000, pp.498-512.
7.COBIT 5, A Business Framework for the Governance and Management of Enterprise IT.
8.Dhillon, G., andBackhouse, J. “Technical opinion: Information system security management in the new millennium,” Communications of the ACM (43:7), 2000,pp.125-128.
9.Ellison, R. J., Linger, R. C., Longstaff, T., and Mead, N. R.“Survivable network system analysis: a case study,” IEEE Software (16:4), 1990, pp.70-77.
10.Eloff, M.M., and Von solms S.H. “Information security Management: An Approach to Combine Process certification and Product Evalutio,”Computers and Security(19:8), 2000, pp.698-709.
11.Garfinkel, S., Spafford, G., and Schwartz, A.  Practical UNIX and Internet security, O'reilly, 2003.
12.Glaser, B. G., and Strauss, A. L. The Discovery of Grounded Theory: Strategies for Qualitative Research, London, Weidenfeld and Nicholson, 1967.
13.Goldman, J.E. Applied data Communications: A Business Oriented Approach, 2nd ed. NY, John Wiley & Sons, 1988.
14.Gollmann, D. Computer Security. NY, John Wiley & Sons, 1999.
15.Gollmann, D. “Computer security,” Wiley Interdisciplinary Reviews: Computational Statistics (2:5), 2010,pp.544-554.
16.Hall, A., and Chapman, R. “Correctness by construction: Developing a commercial secure system,” IEEE Software (19:1), 2000,pp.18-25. 
17.Hartman, B., Donald, J. F., and Konstantin B. Enterprise Security with EJB and CORBA, Vol. 16, NY, John Wiley & Sons, 2002.
18.Hone, K., andEloff, J. H. P.“What makes an effective information security policy?”Network Security(6), 2002,pp.14-16.
19.ISO/IEC 17799, Information technology –code of practice for information security management.
20.Kankanhalli, A., Teo, H. H., Tan, B. C., and Wei, K. K. ”An integrative study of information systems security effectiveness,” International Journal of Information Management (23:2), 2003, pp.139-154.
21.Karyda, M., Kiountouzis, E., and Kokolakis, S., “Information systems security policies: a contextual perspective”, Computers & Security (24), 2005, pp. 246-260.
22.Keen, P. G. W., Ballauce, C., Chan, S., and Schrump, S. Electronic commerce relationship: Trust by design, Englewood Cliffs: Prentice Hall, 2000.
23.Kemp, M., and Kemp, M. “Beyond trust: security policies and defence-in-depth,” Network Security(2005:8), 2005, pp.14-16.
24.Kwon, S., Jang, S., Lee, J., & Kim, S. ”Common defects in information security management system of Korean companies,” Journal of Systems and Software, 80(10), 2007 ,pp.1631-1638.
25.Laudon, K. C., and Laudon, J. P. Management information systems: organization and technology in the networked enterprise, 6th ed. Upper Saddle River, New Jersey, Prentice-Hall, Inc, 2000.
26.Lewis, B. R., Snyder, C. A., and RainerJr, R. K.“An empirical assessment of the information resource management construct,” Journal of Management Information Systems (12:1), 1995, pp.199-223.
27.Loch, K. D., Carr, H. H., and Warkentin, M. E.“Threats to information systems: today's reality, yesterday's understanding,” MIS Quarterly (32:3), 1992,pp.173-186.
28.Marron, J. S., Adak, S., Johnstone, I. M., Neumann, M. H., andPatil, P.“Exact risk analysis of wavelet regression,” Journal of Computational and Graphical Statistics(7:3), 1998, pp.278-309.
29.Neumann, P.G.Computer Related Risks, NY, ACM Press, 1995.
30.Osborne, K. “Auditing the IT security function,” Computers & Security(17:1), 1998, pp.34-41.
31.Parker, D. B. “The Srategic Values of Information Security in Business, “ Computers and Security, 16, 1997, pp. 572-582.
32.Premkumar, G., and King, W. R. “Organizational characteristics and information systems planning: an empirical study,” Information Systems Research(5:2), 1994, pp.75-109.
33.Royce, W.W. “Managing the development of large software systems: Concepts and techniques,”IEEE WESTCON, Los Angeles, CA, 1970.
34.Russell, D. A., and Gangemi, G. T. Computer security basics, O'Reilly, 1992.
35.Schneider, E.C., and Therkalsen,G.W.“How Secure Are Your Systems?” Avenues to Automation,1990, pp.68-72.
36.Shelly, G. B., Cashman, T. J., and Rosenblatt, H. J. Systems analysis and design. Cengage Learning, 2010.
37.Siponen, M., and Willison, R.“Information security management standards: Problems and solutions,” Information & Management (46:5), 2009, pp. 267-270.
38.Smith, M. “Computer security-threats, vulnerabilities and countermeasures,” Information Age(11:4), 1989, pp.205-210.
39.Straub, D. W., and Welke, R. J.“Coping with systems risk: security planning models for management decision making,” MIS Quarterly, 1998, pp. 441-469.
40.TCSEC: Trusted computer system evaluation criteria, Technical Report 5200.28-STD, U.S. Department of Defense
41.Vroom, C., and von Solms, R., “Towards information security behavioral compliance,” Computers & Security, (23), 2004,  pp. 191-198
42.Von Solms R., Van Haar H., Von Solms S. H., and Caelli W. J., “A Framework for Information Security Evaluation ,” Information & Management , 26, 1994, pp. 143-153.
43.Weber, R. Information System Control and Audit. New Jersey, Upper Saddle River: Prentice Hall, 1999.